ANONYMOUS ELECTRONIC VOTING SYSTEM AND
ANONYMOUS ELECTRONIC VOTING METHOD

TECHNICAL FIELD
[0001]

The present invention relates to an anonymous electronic voting system and method and, more particularly, to an anonymous electronic voting system and an anonymous electronic voting method which are capable of being used from various client environments.

BACKGROUND TECHNOLOGY
[0002]

An anonymous electronic voting system is a system that electronically realizes an uninscribed secret vote effected through a network, for example. Examples of the conventional anonymous electronic voting system are described in Patent Publication 1 and Non-Patent Publication 1. In the following description, the "vote" includes a vote for electing a candidate from among candidates set beforehand, as well as a questionnaire etc. which allows a free description. In addition, the "candidate" and "candidate name" are directed not only to a candidate and a candidate name in an election, but also to an element (item) or an element name (item name) in a case wherein the element or element name is selected by the intention of the voter from an assembly.

[0003]

As shown in Fig. 28, a conventional anonymous electronic voting system includes an anonymous decryption system 900 configured by a window center 901 and a plurality of decrypting shuffle centers 902, and a vote management center (voting server) 910 to which each voter will access. The anonymous decryption system 900 is provided in order to keep the secrecy of the vote, and is used for outputting the decrypted result while securing secrecy for the correspondence between the voter and the encrypted voting data.
[0004]

The conventional anonymous electronic voting system having such a configuration operates as follows.
[0005]

First, the window center 901 and the decrypting shuffle center 902 create public information of the system, such as an encryption key for voting, and transmit the same to the vote management center 910, which notifies each voter of the public information.
[0006]

After the voting period starts, each voter encrypts his or her own voting contents based on the public information to create encrypted voting contents, and also creates a digital signature of the voter, transmitting the encrypted voting contents and the digital signature to the vote management center 910. At this stage, each voter creates the encrypted voting contents and the digital signature in the voter's own client terminal, and transmits the encrypted voting contents and the digital signature to the vote management center 910 from that client terminal through a variety of networks. The vote management center 910 verifies the received digital signature, examines the voting right of the voter based on the list of electorate names, and accepts the received encrypted voting contents after confirming that there is no duplication of the vote.
[0007]

After the voting period expires, the vote management center 910 finishes registration of the votes, and transmits the list of the encrypted voting contents received between the start and the end of the voting period to the window center 901 of the anonymous decryption system 900. The window center 901 decrypts the list of the encrypted voting contents through the decrypting shuffle center 902, permutes the voting contents in the list to obtain the list of plaintext voting contents, and returns the list of the plaintext voting contents to the vote management center 910.
[0008]

The vote management center 910 tallies (sums up) the voted results based on the list of the plaintext voting contents received from the window center 901.

Patent Publication 1: JP-2002-237810A 

Patent Publication 2: JP-2001-251289A

Patent Publication 3: JP-2002-344445A

Non-Patent Publication 1: "Realization of Large-scale Electronic Voting System using Shuffling" on second meeting of Information Processing Society of Japan, March, 2001, by SAKO, Kazue etc. including other six members.



DISCLOSURE OF THE INVENTION
Problem to be Solved by the Invention
[0009]

In the conventional anonymous electronic voting system, if the client terminal used by a voter is a device having a small storage capacity and a lower processing throughput, such as a cellular phone, a problem arises in that a vote securing the secrecy is difficult to achieve. This is because the encryption processing program used by the voter in the conventional anonymous electronic voting system is difficult to load on a device having a small storage capacity and a lower processing throughput and, on the other hand, if the voting contents are transmitted to and encrypted by another device, the voting contents become known to the other device executing the encryption processing.

[0010]

In addition, there is another problem in the conventional anonymous electronic voting system in that it is difficult to verify the electorates and thus to prevent a vote by an unqualified electorate and/or duplicated votes in a vote (such as a public office election) having a large number of public electorates. This is because, although the conventional electronic voting system presupposes that all the voters are registered on the common public-key-certificate base for the digital signature used for voter authentication, such a base has not been widely used heretofore.
[0011]

In view of the above, it is a first object of the present invention to provide an electronic voting system and an anonymous electronic voting method which are capable of performing the votes while securing the secrecy of a vote delivered even from a device having a small storage capacity and a lower processing throughput, such as a cellular phone.
[0012]

It is a second object of the present invention to provide an anonymous electronic voting system and an anonymous electronic voting method which are capable of performing electorate certification even if the condition where all the electorates are registered on the common-public-key authentication base is not yet established.

Means for Solving the Invention
[0013]

The present invention provides, in a first aspect thereof, an anonymous electronic voting system including:

a voter terminal for receiving a list of combinations of candidate name and encrypted candidate name, to transmit said encrypted candidate name of a selected candidate via a network;

at least one encryption server for receiving and re-encrypting the encrypted candidate name to create encrypted voting data, and returning the encrypted voting data to the voter terminal having transmitted the encrypted candidate name;

a voting server for receiving the encrypted voting data from the voter terminal to create a list of effective encrypted voting data from among received encrypted voting data, and transmitting the created list of the effective encrypted voting data via the network; and

a decryption server for decrypting the list of the effective encrypted voting data received from the voting server, to create a list of plaintext candidate names rearranged from the list of the effective encrypted voting data,

wherein the voting server receives the plaintext candidate names from the decryption server, to tally vote results based on the received plaintext candidate names.
[0014]

In a preferred embodiment of the anonymous electronic voting system of the first aspect of the present invention, the voting server is connected to the decryption server (anonymous decryption system), and is provided with an encryption means, wherein a voter terminal having therein no encryption means is connected to an authentication server. The encryption server includes a re-encryption means, whereas the authentication server includes ID coalition means and a common-base-signature creation means.
[0015]

In the above configuration, the voting server transmits a combination of plaintext candidate name and encrypted candidate name to a voter terminal having no encryption means. The voter terminal having no encryption means transmits the encrypted candidate name corresponding to the candidate name elected by the voter via an encryption server after re-encrypting the encrypted candidate name. The voting server decrypts the received encrypted data by using an anonymous decryption system, to achieve the first object of the present invention.
[0016]

In addition, a voter terminal having no common-base-signature creation means performs intra-organization personal certification, the authentication server converts the voter ID in a closed organization into a common-base ID by using an ID coalition means, and transmits the combination of ID and voted contents by affixing thereto a common-base digital signature to the voter terminal. Thus, the authentication server certifies based on the digital signature of the authentication server that the personal certificate is performed using an existing authentication base, whereby the second object of the present invention can be achieved.
[0017]

The present invention provides, in a second aspect thereof, an anonymous electronic voting system including:

voter terminals connected to a network;

a first encryption server including a first data conversion means (206) for creating a first encryption parameter for each of the voter terminals from public information, and transmitting the first parameter to the voter terminals;

a second encryption server including a second data conversion means for creating a second encryption parameter, and transmitting the second parameter to the voter terminals;

a voting server for receiving encrypted voting data from the voter terminals to create a list of effective encrypted voting data from among received encrypted voting data, and transmitting the created list of the effective encrypted voting data via the network; and

a decryption server for decrypting the list of the effective encrypted voting data received from the voting server, to create a list of plaintext candidate names rearranged from the list of the effective encrypted voting data, wherein:

the voting server receives the plaintext candidate names from the decryption server, to tally voted results based on the received plaintext candidate names; and

the voter terminals each include an encryption means for encrypting voting contents based on the first and second encryption parameters to create encrypted voting data, and transmit the encrypted voting data to the voting server.
[0018]

In a preferred embodiment of the anonymous electronic voting system of the second aspect of the present invention, the voting server includes the first conversion means instead of the encryption means in the anonymous electronic voting system of the first aspect, and includes the second conversion means instead of the re-encryption means of the encryption server in the anonymous electronic voting system of the first aspect, and the voter terminal includes an encryption means (encrypted-data creation means).
[0019]

In the anonymous electronic voting system according to the preferred embodiment of the second aspect, the voting server performs a part of calculation necessary for encryption processing of the voting contents by using the first conversion means, to transmit the resultant encrypting parameter to the voter terminal, and the encryption server similarly performs a part of calculation necessary for encryption processing of the voting contents by using the second conversion means, to transmit the resultant encrypting parameter to the voter terminal. The voter terminal inputs, in addition to the voting contents, the first conversion result received from the voting server and the second conversion result received from the encryption server in the encrypted-data creation means to create encrypted voting data, whereby the first object of the present invention can be achieved.

EFFECTS OF THE INVENTION
[0020]

The anonymous electronic voting system of the present invention achieves an advantage that the electronic voting can be performed even from a device having a small storage capacity and a lower processing throughput. This is because all the encryption processing or the conversion processing having a large computing amount in the encryption processing need not be executed by the voter terminals.
[0021]

In addition, the anonymous electronic voting system of the present invention achieves an advantage that the secrecy of the vote can be secured even if the vote is performed by a device having a small storage capacity and a lower processing throughput. This is because the decryption of the encrypted voting data is performed by the decryption server, and thus the correspondence between the encrypted voting data and the plaintext cannot be known even after all the encrypted voting data are decrypted, and because the plaintext voting contents are encrypted by both the voting server and the encryption server, and thus each of the voting server and the encryption server alone cannot decrypt the encrypted voting data.
[0022]

In an anonymous electronic voting system of a preferred embodiment of the present invention, the voting can be effected while preventing an unjustified vote even if the condition wherein all the electorates are registered in the common-public-key authentication base is not established. This is because an electorate having a limited certification means in a specific organization can be verified by the authentication server, and the voting data thereof is affixed with the digital signature of the authentication server, whereby the data can be verified as such by the voter verified by the authentication server.

BEST MODES FOR CARRYING OUT THE INVENTION
[0023]

Next, preferred embodiments of the present invention will be described in detail with reference to the drawings.

[0024]

[First Embodiment]

Fig. 1 shows the configuration of an anonymous electronic voting system according to a first embodiment of the present invention. This anonymous electronic voting system includes voter terminals 100, 110, 120, 130, 140, 150 having different components and processing throughputs, a voting center (voting server) 200, an authentication server 300, encryption servers 400, 410, 440, and an anonymous decryption system 500. The encryption servers 400, 410, 440 are connected to the voter terminals 100, 110, 140, respectively. A variety of modes exist in the connection from the voter terminals 100, 110, 120, 130, 140, 150 to the voting center 200, and include a direct connection of some to the voting center 200, a connection of others to the voting center 200 via the authentication server 300, and a parallel connection including the direct connection and the connection via the authentication server 300. Here, two or more of each voter terminal 100, 110, 120, 130, 140, or 150 may exist, although not illustrated for a simplification purpose. In addition, a single voter terminal may be connected to a single encryption server, or a plurality of voter terminals may be connected to a single encryption server. Moreover, the encryption server and the authentication server may operate on a common server.

[0025]

First, the configuration of each voter terminal 100, 110, 120, 130, 140, 150 will be described.
[0026]

The voter terminal 100 includes a display unit 101, such as a display, an input unit 102, such as buttons and a keyboard, and a device-side certification means 103, and is connected to the voting server 200, authentication server 300, and encryption server 400 via a communication line etc.
[0027]

The voter terminal 110 includes a display unit 111, such as a display, an input unit 112, such as buttons and a keyboard, and an intra-organization-base-signature creation means 113, and is connected to the voting server 200, authentication server 300, and encryption server 410 via the communication line etc.

[0028]

The voter terminal 120 includes a display unit 121, such as a display, an input unit 122, such as buttons and a keyboard, a device-side certification means 123, and an encryption means 124, and is connected to the voting server 200 and authentication server 300 via the communication line etc.
[0029]

The voter terminal 130 includes a display unit 131, such as a display, an input unit 132, such as buttons and a keyboard, an intra-organization-base-signature creation means 133, and an encryption means 134, and is connected to the voting server 200 and authentication server 300 via the communication line etc.

[0030]

The voter terminal 140 includes a display unit 141, such as a display, an input unit 142, such as buttons and a keyboard, and a common-base-signature creation means 143, and is connected to the voting server 200 and encryption server 440 via the communication line etc.
[0031]

The voter terminal 150 includes a display unit 151, such as a display, an input unit 152, such as buttons and a keyboard, a common-base-signature creation means 153, and an encryption means 154, and is connected to the voting server 200 via the communication line etc.

[0032]

The voting server 200 includes an electorate-list database 201, a common-base-signature verification means 202, an encryption means 203, and a storage device 204, such as a hard disk drive, and is connected to the voter terminals 100, 110, 120, 130, 140, 150 and authentication server 300 via the communication line etc.
[0033]

The authentication server 300 includes a server-side certification means 301, an intra-organization-base-signature verification means 302, a common-base-signature creation means 303, and an ID coalition means 304.
[0034]

The encryption servers 400, 410, 440 include re-encryption means 401, 411, 441, respectively.
[0035]

The device-side certification means 103, 123 of the voter terminals 100, 120 communicate with the server-side certification means 301 of the authentication server 300 so that the identifier of the voter operating the voter terminal is verified to be IDj, and communicate with the server-side certification means 301 of the authentication server 300 to notify the authentication server 300 of the identifier IDj of the voter j operating the voter terminal 100, 120.
[0036]

The encryption means 124, 134, 144, 154, 203, provided in the voter terminals 120, 130, 140, 150 and the voting server 200, receive an encryption public key Y and plaintext voting data v, and output encrypted voting data E(v) obtained by encrypting v based on Y.

[0037]

The re-encryption means 401, 411, 441 of the encryption servers 400, 410, 440 receive the encryption public key Y and encrypted voting data E(v), and output re-encrypted voting data E'(v) obtained by encrypting E(v) based on Y.
[0038]

The intra-organization signature creation means 113, 133 of the voter terminals 110, 130 receive the encrypted voting data E(vj), intra-organization identifier IIDj of the voter j and a signature private key (secret key) dj, and output a digital signature Sej for the data (E(vj), IIDj) directed to the organization of the voter j.
[0039]

The intra-organization-signature verification means 302 of the authentication server 300 receives encrypted voting data E(vj), intra-organization identifier IIDj, intra-organization digital signature Sej and verification public key Pj, and judges whether or not Sej is correctly calculated for the data (E(vj), IIDj) based on the signature public key dj.
[0040]

The common-base-signature creation means 143, 153 of the voter terminals 140, 150 receive the encrypted voting data E(vj), common identifier CIDj of the voter j and signature private key dj, and output the common-base digital signature Sej of the voter j for the data (E(vj), CIDj).

[0041]

The common-base-signature creation means 303 of the authentication server 300 receives the encrypted voting data E(vj), common identifier CIDj of the voter j, and signature public key dk for the authentication server, and outputs the common-base digital signature Sek of the voter j for the data (E(vj), CIDj).
[0042]

The common-base-signature verification means 202 of the voting center 200 receives the encrypted voting data E(vj), common identifier CIDj, and common-base digital signature Sek, and judges whether or not Sek is correctly calculated based on the signature private key dk for the data (E(vj), CIDj).
[0043]

The correspondence between the intra-organization identifier IIDj and the common identifier CIDj is registered in the ID coalition means 304 of the authentication server 300, and if an intra-organization identifier IIDj is input thereto, a corresponding common identifier CIDj is output therefrom.
[0044]

The anonymous decryption system 500 creates and outputs an encryption public key Y in accordance with the default information input from the outside. If the list of encrypted voting data E(vj) is input from the outside, the anonymous decryption means 500 decrypts the list of E(vj) and outputs the list of the plaintext voting data vj rearranged at random, and the data certifying presence of the one-to-one correspondence between the list of the input E(vj) and the output vj.

[0045]

The intra-organization-signature creation means 113, 133 of the voter terminals 110, 130, the common-base-signature creation means 143, 153 of the voter terminals 140, 150, and the common-base-signature creation means 303 of the authentication server 300 each are provided for creating a digital signature. On the other hand, the intra-organization-signature verification means 302 of the authentication server 300 and the common-base-signature verification means 202 of the voting server 200 are provided for verifying the digital signature. A digital signature using a common public key, such as RSA encryption, may be used as this digital signature. If the RSA encryption is used here, the signature Sjv of the signer j for the data V is calculated by using the V and signature private key dj of the signer j by the following relationship:

Sjv = V^dj mod n,

and the signature verification is successfully performed if the following relationship holds:

Sjv^ej = V mod n,

by using the V, Sjv, and verification public key ej. It is to be noted that "^" means the symbol of raise-power, and thus V^dj means the result of raising V to the dj-th power (i.e., $V^{d_j}$).

[0046]

Here, dj, ej, and n are integers expressed by:

n = p × q; and

dj × ej = 1 mod (p-1) × (q-1),

for two prime factors p and q. A pair (dj, ej) which is unique for each signer is created for each signer j, and dj is held in secrecy by each signer j whereas a pair (n, ej) is open to the public in relation to the identifier IDj of the signer j. For verification of the signature, a verification processing is conducted by retrieving the correspondence between the open IDj and (n, ej) to obtain the (n, ej). The dj is referred to as the signature-creation private key whereas the (n, ej) is referred to as the signature-verification public key.
[0047]

The identifier IDj in the intra-organization-signature creation means 113, 133 and intra-organization-signature verification means 302 is an intra-organization identifier, such as an employee code, open to and used only inside a specific organization. Thus, it is possible that the identifiers allocated to different persons belonging to different organizations are the same IDj, whereas the correspondence between such an identifier and the identifier of the electorate (such as electorate name) registered in an electorate list is not necessarily open to the public. The combination of the signature-verification public key (n, ej) corresponding to the IDj may be open only inside the organization as well.
[0048]

On the other hand, the identifier IDj of the signer as well as (n, ej) in the common-base-signature creation means 143, 153, 303 and common-base-signature verification means 202 is widely open to the public, and thus is a common identifier which is not allocated to different persons. Information including the common identifier is registered in the electorate list database 201.
[0049]

The device-side certification means 103, 123 of the voter terminals 100, 120 and the server-side certification means 301 of the authentication server 300 are provided to perform personal certification. Here, the personal certification based on an ID character string and a password, as well as the personal certification based on a terminal certificate in a cellular phone system can be used.
[0050]

For performing personal certification based on the ID character string and the password, the correspondence between the intra-organization identifier of the voter and the password is registered beforehand in the authentication server 300. The device-side certification means 103, 123 transmits the intra-organization identifier IIDj of the voter, input via the input unit 102, 122, to the authentication server 300. The server-side certification means 301 confirms that the received IIDj is included in the list of intra-organization identifiers which are registered beforehand, creates a random number c, and returns the same to the voter terminal 100, 120. The device-side certification means 103, 123 inputs the password pw input via the input unit 102, 122 and the random number c into a hash function, such as SHA1, and returns the resultant output value r to the authentication server 300. The server-side certification means 301 retrieves the pw corresponding to the IIDj from the list of the intra-organization identifiers and passwords by using the IIDj as a key. The server-side certification means 301 inputs the pw and c into the hash function, such as SHA1, and recognizes the voter operating the voter terminal 100, 120 as the voter identified by the IIDj, if the resultant output value coincides with the value r returned from the voter terminal 100, 120.
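
The exchange of paragraph [0050], with both sides in one place, as an added Python example that is not part of the patent. Assumptions: SHA-256 stands in for the hash function, the identifier, password and the names `AuthServer` and `response` are constructed, and the single-use challenge and constant-time comparison are additions the text does not spell out.

```python
import hashlib
import hmac
import secrets


def response(pw: str, c: bytes) -> bytes:
    """Device-side certification means: r = HASH(pw, c)."""
    return hashlib.sha256(pw.encode() + b"|" + c).digest()


class AuthServer:
    """Server-side certification means 301 (hypothetical class name)."""

    def __init__(self, passwords):
        self._pw = dict(passwords)   # IIDj -> pw, registered beforehand
        self._pending = {}           # IIDj -> outstanding random number c

    def start(self, iid):
        """Return a fresh random number c, or None if IIDj is not registered."""
        if iid not in self._pw:
            return None
        c = secrets.token_bytes(16)
        self._pending[iid] = c
        return c

    def finish(self, iid, r):
        """Recompute HASH(pw, c) and compare with r; each c is accepted once."""
        c = self._pending.pop(iid, None)
        if c is None:
            return False
        return hmac.compare_digest(response(self._pw[iid], c), r)


def demo():
    server = AuthServer({"emp-0042": "correct horse"})   # constructed credentials
    c = server.start("emp-0042")
    r = response("correct horse", c)
    first = server.finish("emp-0042", r)      # genuine voter
    replay = server.finish("emp-0042", r)     # same r again, c already consumed
    server.start("emp-0042")
    stale = server.finish("emp-0042", r)      # old r against a new c
    unknown = server.start("emp-9999")        # identifier not in the list
    return first, replay, stale, unknown


if __name__ == "__main__":
    print(demo())
```

Because the server recomputes the hash from pw, it has to hold the password itself, so the registered list of identifiers and passwords needs the same protection as the passwords.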
[0051]

In the present embodiment, the techniques described in the Patent Publication 1, for example, can be used for the encryption means 123, 133, 153, 203 provided in the voter terminal 120, 130, 150 and the voting server 200, the re-encryption means 401, 411, 441 provided in the encryption server 400, 410, 440, and the anonymous decryption system 500.
[0052]

If the techniques described in the Patent Publication 1 are used, upon input of the security parameters (pL, qL, t) and session ID from the voting center 200, the anonymous decryption means 500 will create the public information (p, q, g) and a private key X based on the (pL, qL, t), output the public information (p, q, g, Y) after adding the public key Y to the public information, and return the same to the voting center 200. Here, p and q are the parameters of ElGamal encryption, and are prime factors defined by the following relationship:

p = k × q + 1,

where k is an integer. The g is a generator of the subgroup of order q modulo p. The pL and qL are the lengths of the prime factors p and q, and the t is the number of repetition times to be used for creation and verification of the data for certifying that a correct processing is performed for the change of the sequential order. The session ID is an identifier for distinguishing the object for the processing. Examples of the object for processing include election of a prefectural governor and city council members. The public key Y is obtained for the decryption key X by calculating:

Y = g^X mod q,

where the decryption key X is a random number which is selected at random from the numbers below q.

[0053]

The encryption means 123, 133, 153, 203 receives the public information (p, q, g, Y) and plaintext voting data vi, and outputs encrypted voting data E(vi). The E(vi) is expressed by the pair (Gi, Vi) by calculating:

(Gi, Vi) = (g^r mod p, vi × Y^r mod p),

where r is a random number selected at random for the plaintext voting data vi.
[0054]

In addition, it is possible in the present embodiment to create a certificate that the encrypted voting data is created after legitimately knowing the r. For example, after generating a random number si in the encryption of vi, the random number verification data αi and ti are created by using:

αi = g^si mod p;

ci = HASH(p, q, g, Y, Gi, Vi, αi); and

ti = ci × ri + si mod p.

This certificate can be verified by calculating:

ci = HASH(p, q, g, Gi, αi), and

by examining whether or not the following relationship holds:

g^ti × Gi^{-ci} = αi mod p.

Here, HASH(p, q, g, Y, Gi, Vi, αi) is a value obtained by inputting p, q, g, Y, Gi, Vi, and αi into the hash function, such as SHA1.
[0055]

The re-encryption means 401, 411, 441 receives the public information (p, q, g, Y) and encrypted voting data E(vi) = (Gi, Vi), and outputs encrypted voting data E'(vi). E'(vi) is expressed by the group (G'i, V'i), and is obtained by calculating:

(G'i, V'i) = (Gi × g^s mod p, Vi × Y^s mod p).

Here, s is a random number selected at random for the encrypted voting data E(vi). It is to be noted that the following equation holds:

(G'i, V'i) = (Gi × g^s mod p, Vi × Y^s mod p)

= (g^{r+s} mod p, vi × Y^{r+s} mod p),

and the plaintext voting data vi can be obtained by processing E'(vi) similarly to the decryption processing conducted to E(vi). That is, E(vi) and E'(vi) can be similarly treated for the decryption processing thereof.
[0056]

After the voting center 200 inputs the list of Ei = (Gi, Vi) and session ID into the anonymous decryption system 500, the anonymous decryption system 500 decrypts the list of (Gi, Vi) based on the public information (p, q, g, Y) and decryption key X specified by the session ID, and returns the list of plaintext voting data vi, which are rearranged in the order at random, and the certification data, which certifies presence of the one-to-one correspondence between the list of (Gi, Vi) and the list of vi, to the voting center 200.
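
The following Python sketch is an added example, not code from the patent or from Patent Publication 1. It walks paragraphs [0052] to [0056] for a terminal with no encryption means: the voting server lists (candidate, E(v)), an encryption server re-encrypts the chosen entry, and the decryption system decrypts and reorders. Assumptions: the toy group p = 2039, q = 1019, g = 4 and the candidate names are constructed; SHA-256 stands in for the hash; Y is computed modulo p and the proof response modulo q so that the checks hold; one hash input list is used for both creating and verifying the proof; a plain random shuffle replaces the verifiable shuffle and its certification data.

```python
import hashlib
import secrets
from collections import Counter

# Constructed toy parameters (far too small for real use): p = k*q + 1 with
# k = 2, and g = 4 generates the subgroup of order q modulo p.
P, Q, G = 2039, 1019, 4
CANDIDATES = ["Alice", "Bob", "Carol"]                    # constructed names
ENCODE = {name: pow(G, k + 1, P) for k, name in enumerate(CANDIDATES)}
DECODE = {v: name for name, v in ENCODE.items()}


def rand_exp():
    """Random exponent in [1, q-1]."""
    return secrets.randbelow(Q - 1) + 1


def keygen():
    """Decryption system 500: private key X, public key Y = g^X (mod p here)."""
    x = rand_exp()
    return x, pow(G, x, P)


def encrypt(y, v):
    """[0053]: (Gi, Vi) = (g^r mod p, vi * Y^r mod p). Returns ciphertext and r."""
    r = rand_exp()
    return (pow(G, r, P), v * pow(y, r, P) % P), r


def reencrypt(y, ct):
    """[0055]: (G'i, V'i) = (Gi * g^s, Vi * Y^s) mod p; needs neither X nor vi."""
    s = rand_exp()
    return (ct[0] * pow(G, s, P) % P, ct[1] * pow(y, s, P) % P)


def decrypt(x, ct):
    """vi = Vi * Gi^(-X) mod p; Gi^(q-X) equals Gi^(-X) since Gi has order q."""
    return ct[1] * pow(ct[0], Q - x, P) % P


def _challenge(y, ct, alpha):
    data = ",".join(map(str, (P, Q, G, y, ct[0], ct[1], alpha))).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_r(y, ct, r):
    """[0054]: alpha = g^s, c = HASH(...), t = c*r + s (reduced mod q here)."""
    s = rand_exp()
    alpha = pow(G, s, P)
    return alpha, (_challenge(y, ct, alpha) * r + s) % Q


def verify_r(y, ct, proof):
    """[0054]: accept if g^t * Gi^(-c) == alpha mod p."""
    alpha, t = proof
    c = _challenge(y, ct, alpha)
    return pow(G, t, P) * pow(ct[0], (Q - c) % Q, P) % P == alpha


def decrypt_and_shuffle(x, ciphertexts):
    """Decrypt every entry, then return the candidate names in random order."""
    names = [DECODE[decrypt(x, ct)] for ct in ciphertexts]
    secrets.SystemRandom().shuffle(names)
    return names


def demo():
    x, y = keygen()
    # Voting server 200: one (candidate name, E(v)) pair per candidate.
    ballot = {name: encrypt(y, ENCODE[name])[0] for name in CANDIDATES}
    choices = ["Bob", "Alice", "Bob"]                      # constructed votes
    # Terminal forwards only the listed ciphertext; the encryption server
    # re-randomizes it before it is submitted to the voting server.
    cast = [reencrypt(y, ballot[c]) for c in choices]
    verbatim = any(ct in ballot.values() for ct in cast)
    # Terminal with its own encryption means: ciphertext plus proof of knowing r.
    ct, r = encrypt(y, ENCODE["Carol"])
    proof = prove_r(y, ct, r)
    return {
        "tally": Counter(decrypt_and_shuffle(x, cast)),
        "verbatim_match": verbatim,
        "proof_ok": verify_r(y, ct, proof),
        "altered_ok": verify_r(y, ct, (proof[0], (proof[1] + 1) % Q)),
    }


if __name__ == "__main__":
    print(demo())
```

No submitted ciphertext equals an entry of the list the voting server handed out, yet each decrypts to the chosen candidate, which is the property the first aspect relies on.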
[0057]

The techniques described in Patent Publication 1 are used as the methods for creating p, q, g and X, decrypting the list of (Gi, Vi), rearranging the order thereof, certifying the presence of the one-to-one correspondence between the list of (Gi, Vi) and the list of vi and verifying the same.

[0058]

In this context, inputs and outputs of the constituent elements are described mainly in the case of using the techniques described in Patent Publication 1. It is to be noted that techniques for certifying the presence of the one-to-one correspondence between the list of encrypted data and the data list output after the decryption thereof, without any leak-out of the information of the concrete correspondence itself, are described in JP-2001-251289A (Patent Publication 2), JP-2002-344445A (Patent Publication 3) etc., and that the encryption means 123, 133, 153, re-encryption means 401, 411, 441, and anonymous decryption system 500 may be realized by using those techniques.
[0059] 

Next, overall operation of the anonymous electronic voting system
of the present embodiment will be described.
[0060] 

Fig. 2 shows operation for the default of the anonymous electronic
voting system of the present embodiment. First, the voting server
200 transmits security parameters (pL, qL, t) and session ID to the
anonymous decryption system 500 (step A1). The anonymous decryption
system 500 creates public information (p, q, g, Y) based on
(pL, qL, t) (step A2), and returns the same to the voting server 200
(step A3). The voting server 200 registers (p, q, g, Y) in the
storage device 204 (step A4). Thus, the default is finished.
[0061]

Next, operation of the vote using the voter terminals 100, 110, 120,
130, 140, 150 will be described with reference to Figs. 3 to 9.
Figs. 3 to 8 show processings by the voter terminals 100, 110, 120,
130, 140, 150 (as well as processings by the voting server,
authentication server, and encryption server, relevant to the
processings by the voter terminals). Fig. 9 describes processings
corresponding to operation from the start of reception of votes to
the tally of votes.
[0062]

After the voting period starts, a voter, i.e., electorate, accesses
the voting server 200 via one of the voter terminals 100, 110, 120,
130, 140, 150. At this stage, in a vote from the voter terminal 100,
110, 140, an encrypted-voting-information request is transmitted
(step A5-1 in Figs. 3, 4, 7), whereas in a vote from the voter
terminal 120, 130, 150, a mere voting-information request is
transmitted (step A5-2 in Figs. 5, 6, 8). The voting server 200,
upon receiving the encrypted-voting-information request from the
voter terminal 100, 110, 140, encrypts all the candidate names vj
based on the public information (p, q, g, Y) to create the list of
(vj, E(vj)) (step A6 in Figs. 3, 4, 7), and returns the public
information (p, q, g, Y) and list of (vj, E(vj)) to the voter
terminal 100, 110, 140 (step A7-1 in Figs. 3, 4, 7). On the other
hand, if the voting server receives a mere voting-information
request from the voter terminal 120, 130 or 150, the voter terminal
200 returns the public information (p, q, g, Y) and list of
plaintext candidate names vj to the voter terminal 120, 130, 150
(step A7-2 in Figs. 5, 6, 8).
[0063]

Hereinafter, processings up to transmission of the voting data are
separately described for each of the voter terminals 100, 110, 120,
130, 140, 150.
[0064] 

The voter terminal 100, upon receiving (p, q, g, Y) and the list of
(vj, E(vj)), as shown in Fig. 3, displays the list of vj on the
display unit 101, and the voter elects and inputs a candidate name
vi from the list of vj via the input unit 102 (step A100-1). Thus,
the voter terminal 100 transmits E(vi) corresponding to vi and the
public information (p, q, g, Y) to the encryption server 400 (step
A100-2). Next, the encryption server 400 inputs the received E(vi)
and public information (p, q, g, Y) to the re-encryption means 401
to calculate E'(vi) by re-encrypting E(vi) (step A100-3), and
returns E'(vi) to the voter terminal 100 (step A100-4). Then, the
voter terminal 100 acquires the intra-organization identifier IIDi
of the voter through the input unit 102, certifies the
intra-organization identifier IIDi to the authentication server 300
by using the terminal-side certification means 103 (step A100-5),
and transmits E'(vi) to the authentication server 300 (step A100-6).
[0065]

The authentication server 300 inputs the intra-organization
identifier IIDi of the voter confirmed by the server-side
certification means 301 into the ID coalition means 304, and obtains
the corresponding common identifier CIDi (step A100-7). Then, in the
authentication server 300, the pair (E'(vi), CIDi) and the signature
private key dk for the authentication server 300 are input to the
common-base-signature creation means 303, whereby the common-base
signature Sek of the authentication server 300 for (E'(vi), CIDi) is
created (step A100-8). The authentication server 300 transmits
(Ei, CIDi) = (E'(vi), CIDi) and Sek to the voting server 200 (step
A100-9).
[0066] 

The voter terminal 110, upon receiving (p, q, g, Y) and the list of
(vj, E(vj)), as shown in Fig. 4, displays the list of vj to the
voter on the display unit 111, and the voter elects and inputs a
candidate name vi from the list of vj via the input unit 112 (step
A110-1 in Fig. 4). The voter terminal 110 transmits E(vi)
corresponding to vi and the public information (p, q, g, Y) to the
encryption server 410 (step A110-2 in Fig. 4). The encryption server
410 inputs the received E(vi) and public information (p, q, g, Y)
into the re-encryption means 411 to calculate E'(vi) by
re-encrypting E(vi) (step A110-3), and returns E'(vi) to the voter
terminal 110 (step A110-4). The voter terminal 110 inputs the
intra-organization identifier IIDi of the voter and signature
private key di into the intra-organization-signature creation means
113, calculates the intra-organization digital signature Sei for
(E'(vi), IIDi) (step A110-5), and returns (E'(vi), IIDi) and Sei to
the authentication server 300 (step A110-6).
[0067] 

The authentication server 300 verifies whether or not Sei is
legitimately calculated for (E'(vi), IIDi) based on the signature
private key di in the intra-organization-signature verification
means 302 (step A110-7). If successfully verified, the
authentication server 300 acquires a common identifier CIDi
corresponding to IIDi in the ID coalition means 304 (step A110-8).
Next, the authentication server 300 inputs E'(vi), CIDi and the
signature private key dk for the authentication server 300 into the
common-base-signature creation means 303, to output the common-base
digital signature Sek of the authentication server for
(E'(vi), CIDi) (step A110-9), and transmits
(Ei, CIDi) = (E'(vi), CIDi) and Sek to the voting server 200 (step
A110-10).
[0068] 

The voter terminal 120, upon receiving (p, q, g, Y) and the list of
vj, displays the list of vj to the voter on the display unit 121,
and the voter elects and inputs a candidate name vi from the list of
vj via the input unit 122 (step A120-1). The voter terminal 120
inputs vi and the public information (p, q, g, Y) into the
encryption means 124, to create E(vi) by encrypting vi based on Y
(step A120-2). Next, the voter terminal 120 certifies the
intra-organization identifier IIDi of the voter to the
authentication server 300 by using the device-side certification
means 123 (step A120-3), and transmits E(vi) to the authentication
server 300 (step A120-4).
[0069] 

The authentication server 300 inputs the intra-organization
identifier IIDi of the voter confirmed by the server-side
certification means 301 into the ID coalition means 304, to obtain a
corresponding common identifier CIDi (step A120-5). The
authentication server 300 then inputs the pair (E(vi), CIDi) and
signature private key dk of the authentication server 300 into the
common-base-signature creation means 303, to create the
common-base-signature Sek for (E(vi), CIDi) (step A120-6), and
transmits (Ei, CIDi) = (E(vi), CIDi) and Sek to the voting server
200 (step A120-7).
[0070] 

The voter terminal 130, upon receiving (p, q, g, Y) and the list of
vj, as shown in Fig. 6, displays the list of vj to the voter on the
display unit 131, and the voter elects a candidate name vi from the
list of vj and inputs the same via the input unit 132 (step A130-1).
The voter terminal 130 then inputs vi and the public information
(p, q, g, Y) into the encryption means 134, to create E(vi) by
encrypting vi based on Y (step A130-2). The voter terminal 130 then
inputs the intra-organization identifier IIDi of the voter i,
signature private key di and E(vi) into the
intra-organization-signature creation means 133 to calculate the
intra-organization digital signature Sei for (E(vi), IIDi) (step
A130-3), and transmits (E(vi), IIDi) and Sei to the authentication
server 300 (step A130-4).
[0071] 

The authentication server 300 verifies whether or not Sei is
legitimately calculated based on the signature private key di for
(E(vi), IIDi) in the intra-organization-signature verification means
302 (step A130-5). If successfully verified, the authentication
server 300 acquires a common identifier CIDi corresponding to IIDi
in the ID coalition means 304 (step A130-6). The authentication
server 300 inputs E(vi), CIDi and the signature private key dk of
the authentication server 300 into the common-base-signature
creation means 303, to output a common-base digital signature Sek of
the authentication server 300 for (E(vi), CIDi) (step A130-7), and
transmits (Ei, CIDi) = (E(vi), CIDi) and Sek to the voting server
200 (step A130-8).
[0072] 

The voter terminal 140, upon receiving (p, q, g, Y) and the list of
(vj, E(vj)), as shown in Fig. 7, displays the list of vj to the
voter on the display unit 141, and the voter elects and inputs a
candidate name vi from the list of vj via the input unit 142 (step
A140-1). The voter terminal 140 then transmits E(vi) corresponding
to vi and public information (p, q, g, Y) to the encryption server
440 (step A140-2). The encryption server 440 inputs the received
E(vi) and the public information (p, q, g, Y) into the re-encryption
means 441 to calculate E'(vi) by re-encrypting E(vi) (step A140-3),
and returns E'(vi) to the voter terminal 140 (step A140-4). The
voter terminal 140 then inputs the common-base identifier CIDi of
the voter i, signature private key di and E'(vi) into the
common-base-signature creation means 143, to calculate the
common-base digital signature Sei for (E'(vi), CIDi) (step A140-5),
and transmits (Ei, CIDi) = (E'(vi), CIDi) and Sei to the voting
server 200 (step A140-6).

[0073]

The voter terminal 150, upon receiving (p, q, g, Y) and the list of
vj, as shown in Fig. 8, displays the list of vj to the voter on the
display unit 151, and the voter elects and inputs a candidate name
vi from the list of vj via the input unit 152 (step A150-1). The
voter terminal 150 inputs vi and the public information (p, q, g, Y)
into the encryption means 154, to create E(vi) by encrypting vi
based on Y (step A150-2). The voter terminal 150 then inputs the
common-base signature CIDi of the voter, signature private key di
and E(vi) into the common-base-signature creation means 153, to
calculate the common-base digital signature Sei for (E(vi), CIDi)
(step A150-3), and transmits (Ei, CIDi) = (E(vi), CIDi) and Sei to
the voting server 200 (step A150-4).
[0074] 

The processings up to transmission of the voting data are described
above. The processings for receiving the voting data and tallying
the votes after close of the votes will be described hereinafter,
with reference to Fig. 9.
[0075] 

The voting server 200, upon receiving (Ei, CIDi) and Sek from the
authentication server 300, confirms that Sek is the legitimate
signature by the authentication server 300 for (Ei, CIDi), in the
common-base-signature verification means 202 (step A8-1). The voting
server 200 searches the electorate list database 201 to assure that
CIDi is registered and that a vote from CIDi has not been received
before (step A9-1), and registers (Ei, CIDi) and Sek in the
voting-data storage device 204, and records in the electorate list
database 201 the fact that the vote by CIDi is finished (step
A10-1). The voting server 200, upon receiving (Ei, CIDi) and Sei
from the voter terminal 140, 150, confirms that Sei is the
legitimate signature of the voter i for (Ei, CIDi) by using the
common-base-signature verification means 202 (step A8-2). The voting
server 200 searches the electorate list database 201 to assure that
CIDi is registered therein and that a vote from CIDi has not been
received before (step A9-2), registers (Ei, CIDi) and Sek in the
voting-data storage device 204, and records in the electorate list
database 201 the fact that the vote by CIDi is finished (step
A10-2).
[0076] 

After the vote is closed, the voting server 200 transmits the list
of all the Ei recorded in the voting-data storage device 204, and
the session ID transmitted to the anonymous decryption system 500 in
step A2 to the anonymous decryption system 500 (step A11). The
anonymous decryption system 500 decrypts the list of Ei based on the
public information (p, q, g, Y) specified in session ID and the
private key X, to create the list of plaintext voting data vj
rearranged therefrom at random and certificate data z certifying
presence of the one-to-one correspondence between the list of Ei and
the list of vj (step A12), and returns the list of vj and the z to
the voting server 200 (step A13). The voting server 200 tallies the
votes based on the received plaintext voting data vj, and releases
the result of tally (step A14).
[0077] 

Next, advantages of the present embodiment will be described.
[0078] 

In the present embodiment, the voting server 200 transmits encrypted
voting data to the voter terminals 100, 110, 140, and the encryption
servers 400, 410, 440 re-encrypt the encrypted voting data elected
by the voters and transmit the resultant data to the voting server
200. Thus, even a voter terminal having no encryption means can
perform a vote while securing the secrecy of the vote. In addition,
since the voter terminals 100, 120 include the device-side
certification means 103, 123 and the authentication server 300
includes the server-side certification means 301, a certification
can be effected without using a digital signature, and even the
voter terminals having no signature creation means can vote by
transmitting the encrypted voting data to the voting server 200
while affixing the common-base digital signature of the
authentication server 300. Further, since the voter terminals 100,
120 include the intra-organization-signature creation means 113, 133
and the authentication server 300 includes the
intra-organization-signature verification means 302 and the ID
coalition means 304, the encrypted voting data affixed with the
intra-organization digital signature can be verified by the
authentication server 300, and then transmitted to the voting server
200 while being affixed with the common-base signature of the
authentication server 300 after the intra-organization identifier is
converted into the common-base identifier, whereby all the voters
can vote even if the voters are not registered in the common
open-key authentication base.
[0079] 

Although the case wherein a single authentication server 300 is
provided is described herein, different authentication servers may
be provided for respective organizations if the voters belong to
different organizations.
[0080] 

[Second Embodiment]

Next, a second embodiment of the present invention will be described
with reference to drawings. The anonymous electronic voting system
of the second embodiment shown in Fig. 10 is such that the voting
terminals 100, 110, 140 include encrypted-data creation means 104,
114, 144, the encryption means 203 in the voting server 200 is
replaced by a first conversion means 206 and an
encryption-certificate verification means 207, the re-encryption
means 401, 411, 441 are replaced by second conversion means 405,
415, 445, and a conversion verification server 700 including a
conversion verification means 701 is provided, in the anonymous
electronic voting system of the first embodiment shown in Fig. 1.
[0081] 

The first conversion means 206 receives the open information, and
outputs first conversion data (first encryption parameters) and
first conversion-certificate data.
[0082] 

The second conversion means 405, 415, 445 receives the public
information, and outputs second conversion data (second encryption
parameters) and second conversion-certificate data.
[0083]

Encrypted data creation means 104, 114, 144 receives the public
information, first conversion data, first conversion-certificate
data, second conversion data, second conversion-certificate data and
plaintext voting contents, and outputs the encrypted voting data
E(vi) and an encryption certificate which certifies that E(vi) is
legitimately created.
[0084] 

The encryption-certificate verification means 207 receives the
public information, encrypted voting data E(vi) and
encryption-certificate data, and verifies whether or not E(vi) is
legitimately created.
[0085] 

The first conversion means 206, second conversion means 405, 415,
445, encrypted-data creation means 104, 114, 144, and
encryption-certificate verification means 207 operate as described
hereinafter, if the techniques described in Patent Publication 1 are
applied to the anonymous decryption system 500.

[0086] 

The first conversion means 209, upon input of the public information
(p, q, g, Y) thereto, selects a random number r smaller than q, and
d at random, and calculates:

    (Gr, Yr, r) = (g^r mod p, Y^r mod p, r)

to output first conversion data (Gr, Yr, r), and also calculates:

    (Gd, d) = (g^d mod p, d)

to output first conversion-certificate data (Gd, d).
[0087] 

The second conversion means 405, 415, 445, upon input of the public
information (p, q, g, Y) thereto, selects a random number s smaller
than q, and calculates:

    (Gs, Ys, s) = (g^s mod p, Y^s mod p, s)

to output second conversion data (Gs, Ys, s), and calculates:

    (Gu, u) = (g^u mod p, u)

to output second conversion data (Gu, u). Here, u is a random number
selected at random and smaller than q.

[0088] 

The encrypted-data creation means, upon input of the first
conversion data (Gr, Yr, r), first conversion-certificate data
(Gd, d), second conversion data (Gs, Ys, s), second
conversion-certificate data (Gu, u), and plaintext voting contents
vi, calculates:

    E(vi) = (Gr × Gs mod p, vi × Yr × Ys mod p)

to obtain encrypted voting data E(vi). In addition, the
encrypted-data creation means calculates:

    α = Gu × Gd mod p;
    c = HASH(p, q, g, Y, Gi, Vi, α); and
    t = c × (r+s) + u + d mod q

to obtain the encryption-certificate data (α, t) and output the
encryption-certificate data (α, t) in addition to the encrypted
voting data (Gi, Vi).
[0089] 

The certificate using the encryption-certificate data is verified by
the encryption-certificate verification means 207 calculating:

    c = HASH(p, q, g, Y, Gi, Vi, α),

and assuring whether or not the following relationship holds:

    g^t × Gi^{-c} = α mod p.

[0090]

The conversion verification means 701 verifies whether or not the
conversion data (Gr, Yr, r) and conversion-certificate data (Gd, d)
are legitimately created based on the public information
(p, q, g, Y). If the techniques described in Patent Publication 1
are used in the anonymous decryption system 500, the conversion
verification means 701 receives the public information (p, q, g, Y),
conversion data (Gr, Yr, r), and conversion-certificate data
(Gd, d), and judges acceptable if all the following equations hold:

    Gr = g^r mod p;
    Yr = Y^r mod p; and
    Gd = Y^d mod p,

and judges unacceptable if any one of those does not hold.
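The second embodiment's conversion, encrypted-data creation and two verification steps, as an added example (not code from the patent). The toy group, the '|'-joined hash input encoding and all function names are assumptions of this example, and the certificate value Gd (or Gu) is checked against g^d (or g^u), the way the conversion means computes it.

```python
import hashlib
import secrets

# Toy group constructed for this example: p = 2q + 1 with q prime, g of order q.
P, Q, G = 2039, 1019, 4


def rand_exp():
    """Random exponent in 1..q-1."""
    return secrets.randbelow(Q - 1) + 1


def hash_to_zq(*values):
    """HASH(...) reduced mod q; SHA1 as the page suggests, '|'-joined decimals."""
    data = "|".join(str(v) for v in values).encode()
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % Q


def make_conversion(Y):
    """Conversion data (g^e, Y^e, e) and certificate data (g^k, k).

    Run once by the voting server (e=r, k=d) and once by the encryption
    server (e=s, k=u); both sides perform the same computation.
    """
    e, k = rand_exp(), rand_exp()
    return (pow(G, e, P), pow(Y, e, P), e), (pow(G, k, P), k)


def verify_conversion(Y, conv, cert):
    """Conversion verification: recompute each value from its exponent."""
    Ge, Ye, e = conv
    Gk, k = cert
    return Ge == pow(G, e, P) and Ye == pow(Y, e, P) and Gk == pow(G, k, P)


def create_encrypted_vote(Y, v, conv1, cert1, conv2, cert2):
    """Encrypted-data creation means: multiplications and one hash only."""
    Gr, Yr, r = conv1
    Gd, d = cert1
    Gs, Ys, s = conv2
    Gu, u = cert2
    Gi = Gr * Gs % P                      # g^(r+s)
    Vi = v * Yr * Ys % P                  # v * Y^(r+s)
    alpha = Gu * Gd % P                   # g^(u+d)
    c = hash_to_zq(P, Q, G, Y, Gi, Vi, alpha)
    t = (c * (r + s) + u + d) % Q
    return (Gi, Vi), (alpha, t)


def verify_encryption_certificate(Y, E, cert):
    """Encryption-certificate verification: g^t * Gi^(-c) == alpha mod p."""
    Gi, Vi = E
    alpha, t = cert
    c = hash_to_zq(P, Q, G, Y, Gi, Vi, alpha)
    return pow(G, t, P) * pow(Gi, -c, P) % P == alpha


def decrypt(x, E):
    """Plain ElGamal decryption with key X."""
    Gi, Vi = E
    return Vi * pow(Gi, -x, P) % P


def demo(vote=42):
    x = rand_exp()
    Y = pow(G, x, P)
    conv1, cert1 = make_conversion(Y)     # from the voting server
    conv2, cert2 = make_conversion(Y)     # from the encryption server
    E, cert = create_encrypted_vote(Y, vote, conv1, cert1, conv2, cert2)
    bad_conv = (conv1[0], conv1[1] * G % P, conv1[2])   # Yr no longer Y^r
    bad_cert = (cert[0], (cert[1] + 1) % Q)             # t altered in transit
    return {
        "conversions_ok": verify_conversion(Y, conv1, cert1)
        and verify_conversion(Y, conv2, cert2),
        "certificate_ok": verify_encryption_certificate(Y, E, cert),
        "decrypted": decrypt(x, E),
        "altered_t_ok": verify_encryption_certificate(Y, E, bad_cert),
        "bad_conversion_ok": verify_conversion(Y, bad_conv, cert1),
    }


if __name__ == "__main__":
    print(demo())
```
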
[0091] 

Next, operation of the anonymous electronic voting system of the
present embodiment will be described. Figs. 11 to 13 show
processings in the voter terminals 100, 110, 140, respectively, (and
processings by the voting server, authentication server, and
encryption server relevant to the processings in those voter
terminals), and Fig. 14 explains processings from the start of
receiving the votes to the tally thereof. It is to be noted that the
operation in the default in the present embodiment is similar to
that in the first embodiment, and that operation of the voter
terminals 120, 130, 150 is similar to that in the first embodiment,
and thus those operations are omitted for description.
[0092] 

Hereinafter, processings from access to the voting server 200 by the
voter terminal 100, 110, 140 to transmission of the voting data will
be described.
[0093] 

The voter terminal 100, 110, 140 transmits a voting-information
request and a conversion-data request to the voting server 200 (step
B5 in Figs. 11, 12, and 13). The voting server 200, upon receiving
the conversion-data request, inputs the public information
(p, q, g, Y) into the first conversion means 206, to create the
first conversion data (Gr, Yr, r) and first conversion-certificate
data (Gd, d) (step B6 in Figs. 11, 12, 13), and returns these data
(p, q, g, Y), (Gr(s), Yr(s), r) and (Gd, d) to the voter terminal
100, 110, 140 (step B7 in Figs. 11, 12, 13). The voter terminals
100, 110, 140, upon receiving (p, q, g, Y), (Gr, Yr, r) and (Gd, d)
from the voting server 200, transmit (p, q, g, Y) and a
conversion-data request to the encryption server 400, 410, 440,
respectively (steps B100-1, B110-1, B140-1 in Figs. 11, 12, and 13).
The encryption servers 400, 410, 440, upon receiving the public
information (p, q, g, Y) and conversion-data request, input the
public information (p, q, g, Y) into the respective second
conversion means 405, 415, 445, to create the second conversion data
(Gs, Ys, s) and second conversion-certificate data (Gu, u) (steps
B100-2, B110-2, B140-2 in Figs. 11, 12, 13), and return (Gs, Ys, s)
and (Gu, u) to the voter terminals 100, 110, 140, respectively
(steps B100-3, B110-3, B140-3 in Figs. 11, 12, 13).
[0094] 

Hereinafter, part of processings up to the transmission of the
voting data different from that of the first embodiment will be
described separately for the respective voter terminals 100, 110,
140.
[0095] 

The voter terminal 100, as shown in Fig. 11, upon receiving the
first conversion data (Gr, Yr, r), first conversion-certificate data
(Gd, d), second conversion data (Gs, Ys, s) and second
conversion-certificate data (Gu, u), inputs the voting contents vi
input by the voter i, as well as (Gr, Yr, r), (Gd, d), (Gs, Ys, s)
and (Gu, u) to the encryption creation means 104, to calculate
encrypted voting data E(vi) and encryption-certificate data (α, t)
(step B100-4), and transmits E(vi) and (α, t) to the authentication
server 300 after certification of IIDi (step B100-6). The
authentication server 300 creates the common-base digital signature
Sek of the authentication server 300 for (E(vi), (α, t), CIDi) (step
B100-8), and transmits (E(vi), (α, t), CIDi) and Sek to the voting
server 200 (step B100-9).
[0096] 

The voter terminal 110, as shown in Fig. 12, upon receiving the
first conversion data (Gr, Yr, r), first conversion-certificate data
(Gd, d), second conversion data (Gs, Ys, s) and second
conversion-certificate data (Gu, u), inputs the voting contents vi
input by the voter i, as well as (Gr, Yr, r), (Gd, d), (Gs, Ys, s)
and (Gu, u) to the encryption creation means 114, to calculate
encrypted voting data E(vi) and encryption-certificate data (α, t)
(step B110-4). The voter terminal 110 then creates the
intra-organization digital signature Sei for (E(vi), (α, t), IIDi)
(step B110-5), and transmits (E(vi), (α, t), IIDi) and Sei to the
authentication server 300 (step B110-6). The authentication server
300 confirms that Sei is the legitimate signature of IIDi for
(E(vi), (α, t), IIDi) (step B110-7), acquires a common identifier
CIDi corresponding to IIDi from the ID coalition means 304 (step
A110-8), creates the common-base digital signature Sek of the
authentication server 300 for (E(vi), (α, t), CIDi) (step B110-9),
and transmits (Ei=E(vi), (α, t), CIDi) and Sek to the voting server
200 (step B110-10).
[0097] 

The voter terminal 140, as shown in Fig. 13, upon receiving the
first conversion data (Gr, Yr, r), first conversion-certificate data
(Gd, d), second conversion data (Gs, Ys, s) and second
conversion-certificate data (Gu, u), inputs the voting contents
input by the user as well as (Gr, Yr, r), (Gd, d), (Gs, Ys, s) and
(Gu, u) into the encrypted-data creation means 144, to calculate the
encrypted voting data E(vi) and encryption-certificate data (α, t)
(step B140-4). The voter terminal 140 then creates the common-base
digital signature Sei for (E(vi), (α, t), CIDi) (step B140-5), and
transmits (Ei=E(vi), (α, t), CIDi), and Sei to the voting server 200
(step B140-6).
[0098] 

The above description is directed to processings up to transmission
of the voting data. Processings for reception of the voting data and
subsequent thereto will be described hereinafter for the part
different from that of the first embodiment, with reference to Fig.
14.

[0099]

The voting server 200, upon receiving (Ei, (α, t), CIDi), and Sek
from the authentication server 300, confirms in the
common-base-signature verification means 202 that Sek is the
legitimate signature of the authentication server 300 for (Ei, CIDi)
(step B8-1), confirms in the encryption-certificate verification
means 207 that Ei is legitimately created (step B9-1), searches the
electorate list database 201 to confirm that CIDi is registered and
that vote from CIDi has not been received (step B10-1), records
(Ei, (α, t), CIDi) and Sek in the voting-data storage device 204,
and records the fact that vote from CIDi is finished in the
electorate list database 201 (step B11-1). The voting server 200,
upon receiving (Ei, (α, t), CIDi) and Sei from the voter terminals
140, 150, confirms in the common-base-signature verification means
202 that Sei is the legitimate signature of the voter i for
(Ei, (α, t), CIDi) (step B8-2), confirms in the
encrypted-certificate verification means 207 that Ei is legitimately
created (step B9-2), searches the electorate list database 201 to
confirm that CIDi is registered and vote from CIDi has not been
accepted (step B10-2), records (Ei, CIDi) and Sek in the voting-data
storage device 204, and records that the vote from CIDi is finished
in the electorate list database 201 (step B11-2).
[0100] 

The voters having finished the vote through their own voter
terminals 100, 110, 140, after the reception of the voting data, may
input the public information (p, q, g, Y) received from the voting
server, first conversion data and first conversion-certificate data
(Gd, d) into the conversion certificate means 701 of the conversion
verification server 700, to verify whether or not the first
conversion data and the first conversion-certificate data are
legitimately created from the public information (p, q, g, Y). The
voter may also verify similarly whether or not the second conversion
data (Gs, Ys, s) and conversion-certificate data (Gu, u) received
from the encryption servers 400, 410, 440 are legitimately created
from the public information (p, q, g, Y), by using the conversion
verification means 701 of the conversion verification server 700.
[0101] 

Processings subsequent to close of the vote are similar to those in
the first embodiment, and are omitted herein for description.
[0102] 

Next, advantages of the present embodiment will be described.
[0103] 

In the present embodiment, the configurations that the voting
terminals 100, 110, 140 include the encrypted-data creation means
104, 114, 144, respectively, that the voting server 200 includes the
first conversion means 206, and that the encryption server 400, 410,
440 include the second conversion means 405, 415, 445, respectively,
allow the voter terminals 100, 110, 140 to create the encrypted
voting data without performing a complicated calculation. Moreover,
since the encrypted voting data is calculated based on both the
first conversion data and second conversion data, each of the voting
server 200 and encryption servers 400, 410, 440 alone cannot know
the plaintext voting contents from the encrypted voting data of the
voter. In addition, the encryption-certificate data created by the
encrypted-data creation means 104, 114, 144 can be verified by the
processing same as the processing for the encryption-certificate
data created by the encryption means 124, 134, 154 of the voter
terminal 120, 130, 150. Further, since the voter terminals 100, 110,
140 include the encrypted-data creation means 104, 114, 144,
respectively, the present embodiment is applicable not only to the
vote wherein the voting contents such as the candidate names are
fixed in advance but also to the vote (questionnaire) of free
description wherein the voter decides the voting contents at his
discretion.

[0104]

Further, by using the conversion verification means 701, whether or
not the first conversion data and first conversion-certificate data
transmitted from the voting server 200 as well as the second
conversion data and second conversion-certificate data transmitted
from the encryption server 400, 410, 440 are legitimately created
from the public information (p, q, g, Y) can be verified.
Accordingly, if the voting server 200 or the encryption servers 400,
410, 440 intend to impede the vote by transmitting illegitimate
conversion data or conversion-certificate data to a voter terminal,
the illegitimate act will be revealed. This suppresses the
illegitimate act by the voting server 200 or the encryption servers
400, 410, 440.
[0105] 

[Third Embodiment]

Next, a third embodiment of the present invention will be described
with reference to the drawings. The anonymous electronic voting
system of the third embodiment shown in Fig. 15 is such that an
encrypted-certificate verification server 600 is further provided, a
certificate-affixing encryption means 205 is provided instead of the
encryption means 203 in the voting server 200, certificate-affixing
re-encryption means 402, 412, 442 are provided instead of the
re-encryption means 401, 411, 441 of the encryption server 400, 410,
440, respectively, and an encryption-certificate verification means
601 and a re-encryption-certificate verification means 602 are
provided in the encryption-certificate verification server 600, in
the anonymous electronic voting system of the first embodiment shown
in Fig. 1.
[0106] 

The certificate-affixing encryption means 205 receives
the public information including encryption public key Y and
plaintext data v, and outputs E(v) obtained by encrypting v
based on Y and certificate data w showing that E(v) is obtained
by legitimately encrypting v based on Y. The certificate-affixing
re-encryption means 402, 412, 442 receive the public
information including the encryption public key Y and
encrypted data E(v), and output E'(v) obtained by re-encrypting
E(v) based on Y and certificate data w' showing
that E'(v) is obtained by legitimately re-encrypting E(v) based
on Y.
[0107] 

The encryption-certificate verification means 601
receives the public information including the encryption public
key Y and the plaintext data v, and verifies whether or not E(v)
is obtained by legitimately encrypting v based on Y. The
re-encryption-certificate verification means 602 receives the
public information including the encryption public key,
encrypted data E(v), re-encrypted data E'(v) obtained by
re-encrypting E(v), and certificate data w', and verifies whether or
not E'(v) is obtained by legitimately encrypting E(v) based on
Y.

[0108] 

If the techniques described in Patent Publication 1 are
used, the certificate-affixing encryption means 205 receives the
public information (p, q, g, Y) and plaintext voting data vi, and
outputs the encrypted voting data E(vi) and certificate data w.
E(vi) is expressed by the pair (Gi, Vi) and obtained by
calculating:

(Gi, Vi) = (g^r mod p, vi × Y^r mod p).

Here, r is a random number selected at random for the plaintext
voting data vi. Thus, r is output as the certificate data w.
[0109] 

The certificate-affixing re-encryption means 205 receives
the public information (p, q, g, Y) and encrypted voting data
E(vi) = (Gi, Vi), and outputs the encrypted voting data E'(vi)
and certificate data w'. E'(vi) is expressed by the pair (G'i,
V'i) and obtained by calculating:

(G'i, V'i) = (Gi^s mod p, Vi × Y^s mod p).

Here, s is a random number selected at random for the plaintext
voting data vi. Thus, s is output as the certificate data w'.
[0110] 

The encryption-certificate verification means 601
receives vi, (p, q, g, Y), E(vi) = (Gi, Vi) and w, and judges the
certificate to be acceptable if both of the following equations:

Gi = g^w mod p; and
Vi = vi × Y^w mod p

hold, and judges the certificate to be illegitimate if any one of
them does not hold.
[0111] 

The re-encryption-certificate verification means 602
receives (Gi, Vi), (p, q, g, Y), E'(vi) = (G'i, V'i) and w', and judges
the certificate to be acceptable if both of the following equations:

G'i = Gi^w' mod p; and
V'i = Vi × Y^w' mod p

hold, and judges the certificate to be illegitimate if any one of
them does not hold.
[0112] 

Next, operation of the anonymous electronic voting
system of the present embodiment will be described. Figs. 16
to 18 show processings of the voter terminals 100, 110, 140,
respectively (and processings by the voting server,
authentication server and encryption server relevant to the
processings in the voter terminals). Fig. 19 explains
processings corresponding to the operation from the reception
of the votes to the tally thereof. The operation of the default in
the present embodiment is similar to that in the first
embodiment, and the operation of the voter terminals 120, 130,
150 is similar to that in the present embodiment. Thus,
description of those operations is omitted.

[0113]

Hereinafter, processings from the access to the voting 
server 200 by the voter terminals 100, 110, 140 to transmission 
of the voting data will be described. 
[0114] 

The voter terminals 100, 110, 140 transmit an
encrypted-voting-information request to the voting server 200. The
voting server 200, upon receiving the encrypted-voting-information
request, creates E(vj) by encrypting vj for all the
voters vj based on the public information (p, q, g, Y) in the
certificate-affixing encryption means 205, creates the
certificate certifying that E(vj) is obtained by legitimately
encrypting vj based on the public information (p, q, g, Y) (step
C6 in Figs. 17, 18, 19), and returns the public information (p, q,
g, Y) and the list of (vj, E(vj), wj) to the voter terminals 100,
110, 140 (step C7 in Figs. 16, 17, 18).
[0115] 

The encryption servers 400, 410, 440, upon receiving
E(vi) and the public information (p, q, g, Y) from the voter
terminals, input E(vi) and (p, q, g, Y) into the certificate-affixing
re-encryption means 402, 412, 442, respectively, to
create E'(vi) by re-encrypting E(vi) and certificate data w'i
which certifies that E'(vi) is obtained by legitimately
encrypting E(vi) based on (p, q, g, Y) (steps C100-1, C110-1,
C140-1 in Figs. 16, 17, 18), and return E'(vi) and w'i to the
voting terminals 100, 110, 140 (steps C100-2, C110-2, C140-2
in Figs. 16, 17, 18).
[0116] 

The above description is directed to part of the
processings up to transmission of the voting data, which is
different from that of the first embodiment.
[0117] 

Next, processings after reception of the votes will be 
described with reference to the flowchart of Fig. 19. 
[0118] 

The voters having performed the vote through the voter
terminals 100, 110, 140, after the reception of the voting data,
transmit the public information (p, q, g, Y) and list of (vj,
E(vj), wj) received from the voting server 200 as well as
(E'(vi), w'i) received from the encryption server to the
encryption-certificate verification server 600 (step C15). The
encryption-certificate verification server 600 inputs the public
information (p, q, g, Y) and the list of (vj, E(vj), wj) into the
encryption-certificate verification means 601, to verify whether
or not all E(vj) are obtained by legitimately encrypting vj based
on (p, q, g, Y) (step C16), and also inputs (E'(vi), E(vi), w')
into the re-encryption verification means 602, to verify whether
or not E'(vi) is obtained by legitimately encrypting E(vi) based
on (p, q, g, Y) (step C17), thereby outputting the results of
verification (step C18).

[0119]

Next, the advantages of the present embodiment will be
described.
[0120] 

In the present embodiment, the voting server 200
includes the certificate-affixing encryption means 205 and
the list of (vj, E(vj), wj) is transmitted to the voting terminals,
so that the encryption-certificate verification means 601 can
verify whether or not E(vj) is obtained by legitimately encrypting
vj based on (p, q, g, Y). Accordingly, if the voting server 200
transmits (vj, E(v'j), w) to the voting terminals by pretending
that (vj, E(v'j), w) is obtained by encrypting vj, the
illegitimacy will be revealed. This suppresses the illegitimate
act by the voting server 200.
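
The check performed by the encryption-certificate verification means 601 in [0110], applied to the substituted-ciphertext case of [0120], as an added Python example (not code from the specification). The toy parameters, the exponent used to derive Y and all function names are constructed for illustration, and only the encryption-certificate part is covered.

```python
import secrets

# Constructed toy public information (p, q, g, Y): p = 2q + 1 and g has order q.
# Real parameters are far larger; these keep the arithmetic readable.
P, Q, G = 2039, 1019, 4
Y = pow(G, 321, P)  # 321 stands in for the decryption key, which no verifier holds


def encrypt_with_certificate(v, r=None):
    """Means 205: return E(v) = (g^r, v * Y^r) mod p and certificate data w = r."""
    r = secrets.randbelow(Q - 1) + 1 if r is None else r
    return (pow(G, r, P), v * pow(Y, r, P) % P), r


def check_equations(v, ciphertext, w):
    """Means 601: evaluate Gi = g^w mod p and Vi = v * Y^w mod p separately."""
    Gi, Vi = ciphertext
    return Gi == pow(G, w, P), Vi == v * pow(Y, w, P) % P


def audit_list(entries):
    """Step C16: return the vj whose (vj, E(vj), wj) entry fails either equation."""
    return [v for v, ct, w in entries if not all(check_equations(v, ct, w))]


def constructed_list():
    """Three honest entries, then one where the ciphertext of 11 is labelled 14."""
    entries = [(v, *encrypt_with_certificate(v)) for v in (11, 12, 13)]
    swapped_ct, swapped_w = encrypt_with_certificate(11)
    entries.append((14, swapped_ct, swapped_w))  # the (vj, E(v'j), w) case of [0120]
    return entries


if __name__ == "__main__":
    entries = constructed_list()
    print("rejected candidates:", audit_list(entries))
    print("equations for the swapped entry:", check_equations(*entries[-1]))
```

The first equation alone accepts the swapped entry, because w is valid randomness for that ciphertext; only the second equation ties the ciphertext to the advertised vj.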
[0121] 

In addition, the encryption servers 400, 410, 440 include
the certificate-affixing re-encryption means 402, 412, 442,
respectively, and E'(vi), E(vi), w' are transmitted to the
voter terminals, so that the encryption-certificate verification
means 602 can verify whether or not E'(vi) is obtained by
legitimately encrypting E(vi) based on (p, q, g, Y).
Accordingly, if the encryption server returns E'(v), E(vi), w'
while pretending that E(vi) is legitimately re-encrypted, such
an illegitimacy will be revealed. This suppresses the
illegitimate act by the encryption servers 400, 410, 440.

[0122]

In addition, although the configuration has been described
wherein the encryption-certificate verification means 601 is
provided in another server (encryption-certificate verification
server 600) to verify after the voting is finished, another
configuration may be employed wherein the encryption-certificate
verification is provided in the voter terminal as a constituent
element thereof to conduct the verification during the voting.
Further, another configuration may be employed wherein the
verification means is provided in the encryption server as a
constituent element thereof to verify only the certificate of
encryption by the encryption during the voting, and to verify only
the certificate data by the encryption server after the voting.
Further, another configuration may be employed wherein the
encryption-certificate verification means 601 and
re-encryption-certificate verification means 602 are provided in
the voter terminal, to perform all the verification during the
voting.
[0123] 

[Fourth Embodiment]

Next, a fourth embodiment of the present invention will
be described with reference to the drawings. In the anonymous
electronic voting system of the first embodiment, by allowing a
single voter terminal to use a plurality of encryption servers,
the secrecy of the vote can be more robustly secured. The
present embodiment includes a larger number of encryption
servers for a single voter terminal.
[0124] 

The anonymous electronic voting system of the fourth
embodiment shown in Fig. 20 is such that the voter terminal
100 connects to k encryption servers 400-1 to 400-k, with k
being an integer equal to or larger than 2, and similarly the
voter terminals 110, 140 connect to encryption servers 410-1 to
410-k and encryption servers 440-1 to 440-k, respectively, in
the anonymous electronic voting system of the first embodiment
shown in Fig. 1. The encryption servers 400-1 to 400-k, 410-1
to 410-k, and 440-1 to 440-k include the re-encryption means
401-1 to 401-k, 411-1 to 411-k, and 441-1 to 441-k,
respectively. The configuration of the voter terminals 100, 110,
120, 130, 140, 150, voting server 200, and authentication
server 300 is similar to that in the first embodiment shown in
Fig. 1.
[0125] 

Next, operation of the anonymous electronic voting
system of the present embodiment will be described. Figs. 21
to 23 show processings by the voter terminals 100, 110, 140
(and processings by the voting server, authentication server and
encryption server, relevant to processings in the voter
terminals). It is to be noted that operation in the default of the
present embodiment is similar to that in the first embodiment,
and that the operation by the voter terminals 120, 130, 150 is
similar to that in the first embodiment. Thus, description of
these operations is omitted herein.
[0126] 

Hereinafter, processings from the access to the voting
server 200 by the voter terminals 100, 110, 140 to transmission
of voting data will be described.

[0127] 

The voter terminals 100, 110, 140 transmit an
encrypted-voting-information request to the voting server 200 (step
A5-1 in Figs. 21, 22, 23). The voting server 200, upon receiving the
encrypted-voting-information request, encrypts all the
candidate names vj based on the public information (p, q, g, Y),
to create E(vj) in the encryption means 203 (step A6 in Figs. 21,
22, 23), to return the public information (p, q, g, Y) and list of
(vj, E(vj)) to the voter terminals 100, 110, 140 (step A7-1 in
Figs. 21, 22, 23). The voter terminals, upon receiving (p, q, g,
Y) and the list of (vj, E(vj)), display the list of vj to the voter
on the display units 101, 111, 141, and the voter elects and
inputs a candidate vi from the list of vj via the input units 102,
112, 142 (steps A100-1, A110-1, A140-1 in Figs. 21, 22, 23).
[0128] 

The voter terminals 100, 110, 140 then transmit the
encrypted data E(vi) corresponding to vi and public
information (p, q, g, Y) to the first encryption servers 400-1,
410-1, 440-1 (steps D101-1, D111-1, D141-1 in Figs. 21, 22,
23). The encryption servers 400-1, 410-1, 440-1 input the
received encrypted data E(vi) and public information (p, q, g,
Y) into the re-encryption means 401-1, 410-1, 440-1,
respectively, to calculate E'1(vi) by re-encrypting E(vi) (steps
D101-2, D111-2, D141-2 in Figs. 21, 22, 23), and return
E'1(vi) to the voter terminals 100, 110, 140 (steps D101-3,
D111-3, D141-3 in Figs. 21, 22, 23). Subsequently, the voter
terminals 100, 110, 140 transmit E'1(vi) obtained from the first
encryption servers 400-1, 410-1, 440-1 to the second
encryption servers 400-2, 410-2, 440-2, allowing E'1(vi) to be
encrypted again to thereby obtain E'2(vi). Hereinafter, these
processings are iterated for all the encryption servers 400-1 to
400-k, 410-1 to 410-k, and 440-1 to 440-k, to obtain the
encrypted data E'k(vi) (steps D10k-3, D11k-3, D14k-3 in Figs.
21, 22, 23). The encrypted data E'k(vi) corresponds to the data
obtained by re-encrypting E(vi) k times. The voter
terminals 100, 110, 140 determine E'k(vi) as the encrypted data
E'(vi) to be transmitted to the authentication server 300 or
voting server 200 (steps D100-6, D110-5, D140-5 in Figs. 21,
22, 23). Subsequent processings are similar to those in the first
embodiment.
[0129] 

Next, the advantages of the present embodiment will be
described.
[0130]

In the present embodiment, the voter terminals connect to
the encryption servers 400-1 to 400-k, encryption servers 410-1
to 410-k, and encryption servers 440-1 to 440-k, respectively,
and transmit the encrypted data E'(vi), obtained by
re-encrypting E(vi) transmitted from the voting server 200 for the
total of k times, to the voting server 200. Accordingly, unless
all of the voting server and k encryption servers collude
together, the plaintext voting contents vi cannot be detected
from E'(vi), and the secrecy of the votes can be strongly
assured.
[0131]

It is to be noted that although the number of encryption
servers connected to the voter terminals 100, 110, 140 is k for
each herein, this number need not be the same and may be
different for them. In addition, some voter terminals may share
some encryption servers as in the case of the first embodiment.
[0132] 

Moreover, as in the third embodiment shown in Fig. 15,
each encryption server may include a certificate-affixing
re-encryption means, to create certificate data for the encryption.
[0133] 

[Fifth Embodiment]

Next, a fifth embodiment of the present invention will be
described with reference to the drawings. In the anonymous
electronic voting system of the second embodiment, by
allowing a single voter terminal to use a plurality of encryption
servers, the secrecy of the votes can be more robustly secured.
The present embodiment is such that a larger number of
encryption servers are employed corresponding to a single
voter terminal.

[0134] 

The anonymous electronic voting system of the fifth
embodiment shown in Fig. 24 is such that the voter terminal
100 connects to k encryption servers 400-1 to 400-k, with k
being an integer equal to or larger than 2, and the voter
terminals 110, 140 connect to the encryption servers 410-1 to
410-k and encryption servers 440-1 to 440-k, respectively, in
the anonymous electronic voting system of the second
embodiment shown in Fig. 10. The encryption servers 400-1 to
400-k, 410-1 to 410-k, and 440-1 to 440-k include second
conversion means 405-1 to 405-k, 415-1 to 415-k, and 445-1 to
445-k. For an m satisfying 1 ≤ m ≤ k, the second conversion
means 405-m, 415-m, 445-m of the m-th encryption servers
400-m, 410-m, 440-m create the second conversion data (Gsm,
Ysm, sm) and second conversion-certificate data (Gum, um).
Here:

(Gsm, Ysm, sm) = (g^sm mod p, Y^sm mod p, sm); and
(Gum, um) = (g^um mod p, um).
[0135] 

The encrypted-data creation means 104, 114, 144 of the
voter terminals 100, 110, 140, upon input of the first
conversion data (Gr, Yr, r) = (g^r mod p, Y^r mod p, r) and
first conversion-certificate data (Gd, d) = (g^r mod p, d) from
the voting server, and input of the k second conversion data
(Gs1, Ys1, s1) to (Gsk, Ysk, sk) and k conversion-certificate
data (Gu1, u1) to (Guk, uk) from the k encryption servers as
well as the plaintext voting contents, calculate the encrypted
voting data E(vi) based on the following equation:

E(vi) = (Gi, Vi)
      = (Gr × Gs1 × Gs2 × ... × Gsk mod p,
         vi × Yr × Ys1 × Ys2 × ... × Ysk mod p).

Furthermore, the encrypted-data creation means 104, 114, 144
calculate:

α = Gu × Gd1 × Gd2 × ... × Gdk mod p;
c = HASH(p, q, g, Y, Gi, Vi, α);
t = c × (r + s1 + s2 + ... + sk) + u + d1 + d2 + ... + dk mod q,

to obtain encryption-certificate data (α, t) and output the same
together with the encrypted voting data (Gi, Vi).
[0137] 

This certificate can be verified in the encryption-certificate
verification means 207 by calculating:

c = HASH(p, q, g, Y, Gi, Vi, α),

and confirming whether or not the following relationship holds:

g^t × Gi^{-c} = α mod p.
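
The combination of conversion data and the certificate (α, t) from [0135] to [0137], together with the check named for the conversion verification means 701, as an added Python example (not code from the specification). It generalizes slightly by treating the voting server and the k encryption servers uniformly as contributors of one (conversion, certificate) pair each; the toy parameters, SHA-256 as HASH, the key X and all function names are assumptions.

```python
import hashlib
import secrets

# Constructed toy public information (p, q, g, Y): p = 2q + 1 and g has order q.
P, Q, G = 2039, 1019, 4
X = 777              # assumption: tallying-side decryption key with Y = g^X mod p
Y = pow(G, X, P)


def make_conversion():
    """One contributor's conversion data (Gs, Ys, s) and certificate data
    (Gd, d) = (g^d mod p, d), the form the page gives for (Gum, um)."""
    s, d = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    return (pow(G, s, P), pow(Y, s, P), s), (pow(G, d, P), d)


def verify_conversion(conv, cert):
    """Conversion verification: both tuples must follow from (p, q, g, Y)."""
    (Gs, Ys, s), (Gd, d) = conv, cert
    return Gs == pow(G, s, P) and Ys == pow(Y, s, P) and Gd == pow(G, d, P)


def challenge(Gi, Vi, alpha):
    """c = HASH(p, q, g, Y, Gi, Vi, alpha); SHA-256 and this encoding are assumptions."""
    text = ",".join(str(n) for n in (P, Q, G, Y, Gi, Vi, alpha))
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % Q


def create_vote(v, contributions):
    """Voter terminal: fold every (conversion, certificate) pair into E(v), (alpha, t)."""
    Gi, Vi, alpha, exp_sum, cert_sum = 1, v % P, 1, 0, 0
    for (Gs, Ys, s), (Gd, d) in contributions:
        Gi, Vi, alpha = Gi * Gs % P, Vi * Ys % P, alpha * Gd % P
        exp_sum, cert_sum = exp_sum + s, cert_sum + d
    t = (challenge(Gi, Vi, alpha) * exp_sum + cert_sum) % Q
    return (Gi, Vi), (alpha, t)


def verify_vote(ciphertext, certificate):
    """Check g^t = alpha * Gi^c mod p, equivalent to g^t * Gi^(-c) = alpha mod p."""
    (Gi, Vi), (alpha, t) = ciphertext, certificate
    return pow(G, t, P) == alpha * pow(Gi, challenge(Gi, Vi, alpha), P) % P


def decrypt(ciphertext):
    """Standard ElGamal decryption Vi / Gi^X, used here only to inspect the result."""
    Gi, Vi = ciphertext
    return Vi * pow(pow(Gi, X, P), P - 2, P) % P


def rogue_contribution():
    """Constructed misbehaving server: Ys is not Y^s, everything else is honest."""
    (Gs, Ys, s), cert = make_conversion()
    return (Gs, Ys * 2 % P, s), cert


if __name__ == "__main__":
    honest = [make_conversion() for _ in range(4)]  # voting server + k = 3 servers
    ct, cert = create_vote(42, honest)
    print("honest:", verify_vote(ct, cert), decrypt(ct))
    tainted = honest[:3] + [rogue_contribution()]
    print("conversion checks:", [verify_conversion(*c) for c in tainted])
    ct2, cert2 = create_vote(42, tainted)
    print("tainted:", verify_vote(ct2, cert2), decrypt(ct2))
```

In the constructed rogue case the encryption certificate still verifies, since (α, t) only shows knowledge of the exponent of Gi; the malformed Ys is caught by the conversion check, and if that check is skipped the ballot decrypts to 84 instead of 42.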
[0138]

The configuration of the voter terminals 120, 130, 150, 
voting server 200, and authentication server 300 is similar to 
that of the second embodiment shown in Fig. 10. 
[0139] 

Next, operation of the anonymous electronic voting
system of the present embodiment will be described. Figs. 25
to 27 show processings by the voter terminals 100, 110, 140
(and processings by the voting server, authentication server and
encryption server, relevant to the processings in the voter
terminals). Operation of the voter terminals 120, 130, 150 is
similar to that in the second embodiment, and thus description
thereof is omitted.
[0140] 

Hereinafter, processings from access to the voting server
200 by the voter terminals 100, 110, 140 to transmission of the
voting data will be described.
[0141] 

The voter terminals 100, 110, 140 transmit a conversion-data
request to the voting server 200 (step B5 in Figs. 25, 26,
27). The voting server 200, upon receiving the conversion-data
request, inputs the public information (p, q, g, Y) into the first
conversion means 206, to create the first conversion data (Gr,
Yr, r) and first conversion-certificate data (Gd, d) (step B6 in
Figs. 25, 26, 27), and returns (p, q, g, Y), (Gr, Yr, r) and (Gd,
d) to the voter terminals 100, 110, 140 (step B7 in Figs. 25, 26,
27). The voter terminals 100, 110, 140, upon receiving (p, q, g,
Y), (Gr, Yr, r) and (Gd, d) from the voting server 200, transmit
(p, q, g, Y) and a conversion-data request to the encryption
servers 400-1, 410-1, 440-1, respectively (steps E101-1, E111-1,
E141-1 in Figs. 25, 26, 27). The encryption servers 400-1,
410-1, 440-1, upon receiving the public information (p, q, g, Y)
and conversion-data request, input (p, q, g, Y) into the second
conversion means 405-1, 415-1, 445-1, respectively, to create
the second conversion data (Gs1, Ys1, s1) and second
conversion-certificate data (Gu1, u1) (steps E101-2, E111-2,
E141-2 in Figs. 25, 26, 27), and return (Gs1, Ys1, s1) and
(Gu1, u1) to the voter terminals 100, 110, 140 (steps E101-3,
E111-3, E141-3 in Figs. 25, 26, 27). The voter terminals 100,
110, 140 iterate the same processing for the second encryption
servers 400-1, 410-1, 440-1, and then iterate the same
processing for all the k encryption servers 400-1 to 400-k, 410-1
to 410-k, and 440-1 to 440-k, thereby obtaining k second
conversion data (Gs1, Ys1, s1) to (Gsk, Ysk, sk) and k second
conversion-certificate data (Gu1, u1) to (Guk, uk) (up to steps
E10k-3, E11k-3, E14k-3 in Figs. 25, 26, 27).
[0142] 

Subsequently, the voter terminals 100, 110, 140 input vi
input by the voter, first conversion data (Gr, Yr, r), first
conversion-certificate data (Gd, d), k second conversion data
(Gs1, Ys1, s1) to (Gsk, Ysk, sk) and k second
conversion-certificate data (Gu1, u1) to (Guk, uk) into the
encrypted-data creation means 104, 114, 144, to calculate the
encrypted voting data E(vi) and encryption-certificate data (α, t)
(steps E100-4, E110-4, E140-4 in Figs. 25, 26, 27). Subsequent
processings are similar to those in the second embodiment.
[0143] 

Next, advantages of the present embodiment will be 
described. 
[0144] 

In the present embodiment, the voter terminals 100, 110,
140 connect to the encryption servers 400-1 to 400-k,
encryption servers 410-1 to 410-k, and encryption servers 440-1
to 440-k, respectively, create the encrypted data E(vi)
based on the first conversion data received from the voting
server 200 and k second conversion data received from k
encryption servers, and transmit the encrypted data E(vi) to the
voting server 200. Thus, unless all of the voting server and k
encryption servers collude together, the plaintext voting
contents are not detected from E'(vi), whereby the secrecy of
the votes can be assured more strongly.
[0145] 

Although the number of the encryption servers connected
to the voter terminals 100, 110, 140 each is k herein, the
number need not be the same and may be different. In addition,
some voter terminals may share some second encryption
servers therebetween.
[0146] 

Another configuration may be employed wherein the voting server
is not provided with the first conversion means and the encrypted
voting data E(vi) and encryption-certificate data (α, t) are
created using only the second conversion data E(vi) and second
encryption-certificate data received from the k encryption
servers. In this case, all the voter terminals including the voter
terminals 100, 110, 140 transmit only a voting-information
request to the voting server 200, and the voting server 200
transmits the public information (p, q, g, Y) and candidate
information to all the voter terminals. The encrypted-data
creation means 104, 114, 144 of the voter terminals 100, 110,
140 calculate the encrypted voting data E(vi) and
encryption-certificate data (α, t) based on the k second conversion
data (Gs1, Ys1, s1) to (Gsk, Ysk, sk) and k second
conversion-certificate data (Gd1, d1) to (Gdk, dk) as follows:

E(vi) = (Gi, Vi)
      = (Gs1 × Gs2 × ... × Gsk mod p,
         vi × Ys1 × Ys2 × ... × Ysk mod p);
α = Gd1 × Gd2 × ... × Gdk mod p;
c = HASH(p, q, g, Y, Gi, Vi, α);
t = c × (s1 + s2 + ... + sk) + d1 + d2 + ... + dk mod q.

[0148] 

It is possible for the voting server to calculate the first
conversion data and first conversion-certificate data beforehand,
and similarly, for the public information (p, q, g, Y) to be
distributed beforehand to the encryption servers so that the
second conversion data and second conversion-certificate data
are calculated in advance.
[0149] 

Although preferred embodiments of the present invention
are described as above, each of the voter terminals, voting
server, authentication server, encryption server and
encryption-certificate verification server configuring the above
anonymous electronic voting system can be implemented by
installing a computer program for implementing the function
thereof in a server computer or personal computer, and by
executing the program. Such a computer program is generally read
into a computer from a recording medium such as a magnetic tape
or CD-ROM, or via a network. In other words, each of the
constituent elements in the voter terminals, voting server,
authentication server, encryption server, and
encryption-certificate verification server can be
implemented by software or hardware.

[0150]

Especially for a computer implementing the voter
terminal, a computer, such as a cellular phone or a variety of
portable data assistants (PDA), having a relatively lower
processing throughput and smaller storage capacity, can be
used so long as the computer has a data processing capability
and a network connection capability.

APPLICABILITY TO THE INDUSTRY
[0151]

The present invention is applicable to the use of an
anonymous electronic voting system via a network etc. It is
also applicable to the use of an anonymous electronic
questionnaire system via a network etc. which allows free
description as the contents of vote.

BRIEF EXPLANATION OF THE DRAWINGS
[0152]



[Fig. 1] is a block diagram showing the configuration of
an anonymous electronic voting system according to a first
embodiment.

[Fig. 2] is a flowchart showing operation in a default of
the first embodiment.

[Fig. 3] is a flowchart showing operation of the voter
terminal 100 in the first embodiment.

[Fig. 4] is a flowchart showing operation of the voter
terminal 110 in the first embodiment.

[Fig. 5] is a flowchart showing operation of the voter
terminal 120 in the first embodiment.

[Fig. 6] is a flowchart showing operation of the voter
terminal 130 in the first embodiment.

[Fig. 7] is a flowchart showing operation of the voter
terminal 140 in the first embodiment.

[Fig. 8] is a flowchart showing operation of the voter
terminal 150 in the first embodiment.

[Fig. 9] is a flowchart showing operation of the voting
server 200 in the first embodiment.

[Fig. 10] is a block diagram showing the configuration of
an anonymous electronic voting system according to a second
embodiment.

[Fig. 11] is a flowchart showing operation of the voter
terminal 100 in the second embodiment.

[Fig. 12] is a flowchart showing operation of the voter
terminal 110 in the second embodiment.

[Fig. 13] is a flowchart showing operation of the voter
terminal 140 in the second embodiment.

[Fig. 14] is a flowchart showing operation of the voter
terminal 200 in the second embodiment.

[Fig. 15] is a block diagram showing the configuration of
an anonymous electronic voting system according to a third
embodiment.

[Fig. 16] is a flowchart showing operation of the voter
terminal 100 in the third embodiment.

[Fig. 17] is a flowchart showing operation of the voter
terminal 110 in the third embodiment.

[Fig. 18] is a flowchart showing operation of the voter
terminal 140 in the third embodiment.

[Fig. 19] is a flowchart showing operation of the
encryption server 600 in the third embodiment.

[Fig. 20] is a block diagram showing the configuration of
an anonymous electronic voting system according to a fourth
embodiment.

[Fig. 21] is a flowchart showing operation of the voter
terminal 100 in the fourth embodiment.

[Fig. 22] is a flowchart showing operation of the voter
terminal 110 in the fourth embodiment.

[Fig. 23] is a flowchart showing operation of the voter
terminal 140 in the fourth embodiment.

[Fig. 24] is a block diagram showing the configuration of
an anonymous electronic voting system according to a fifth
embodiment.

[Fig. 25] is a flowchart showing operation of the voter
terminal 100 in the fifth embodiment.

[Fig. 26] is a flowchart showing operation of the voter
terminal 110 in the fifth embodiment.

[Fig. 27] is a flowchart showing operation of the voter
terminal 140 in the fifth embodiment.

[Fig. 28] is a block diagram of the configuration of a
conventional anonymous electronic voting system.



